A Hybrid Anomaly–Rule–Pattern Detection Framework for Streaming-Based Persistent Intrusion Detection
Abstract
Contemporary network systems suffer stealthy, persistent cyber-attacks, such as low-rate distributed denial-of-service (DDoS) attacks and slow brute-force logins, which can commonly elude traditional intrusion detection systems (IDS). This paper presents the Hybrid Anomaly–Rule–Pattern Detection Framework for Streaming-Based Persistent Intrusion Detection to improve system resilience against persistent threats. The model incorporates three cooperating modules: an Anomaly Detection Module, which adopts unsupervised outlier methods (Isolation Forest, LODA and HBOS) for statistical deviation detection; a Rule-Based Module, which encapsulates Snort-3.0-style signatures together with behavioral heuristics of known attack classes; and a Pattern Recognition Module, which employs hierarchical clustering with cosine similarity to link recurring temporal behaviors across sliding windows. Weighted ensembles of multi-source alerts are fused into high-confidence Meta-Alerts in real time. Experiments on a set of benchmarks, CICIDS2017 and UNSW-NB15, show performance improvements over the baseline SOAAPR, with Precision = 91.3%, Recall = 94.2%, F1-score = 0.93, False Positive Rate = 3.7%, Detection Latency = 1.21 s and Persistent Attack Detection Rate = 88.4%. The statistical analysis shows that the hybrid approach, which combines statistical, rule-based and temporal pattern analyses in a modular streaming architecture, achieves much higher accuracy and flexibility in detecting stealthy or emerging cyber threats than traditional approaches in real-time networking environments.
DOI: https://doi.org/10.31449/inf.v49i36.12171
License
Authors retain copyright in their work. By submitting to and publishing with Informatica, authors grant the publisher (Slovene Society Informatika) the non-exclusive right to publish, reproduce, and distribute the article and to identify itself as the original publisher.
All articles are published under the Creative Commons Attribution license CC BY 3.0. Under this license, others may share and adapt the work for any purpose, provided appropriate credit is given and changes (if any) are indicated.
Authors may deposit and share the submitted version, accepted manuscript, and published version, provided the original publication in Informatica is properly cited.







